Which methods would you expect to find used by almost any major corporation?
Which might likely only be justified at a financial institution?
Depending on the sensitivity and value of the data processed and stored at a data center, all of the 19 methods could be used by a corporation. For example, IBM is extremely concerned about the loss of data and trade secrets due to disasters and corporate espionage and employs all 19 methods.
However, most corporations do not employ all 19 methods. Thus, the following solution is an approximation of the methods that a typical corporation may employ and of the more extensive methods that a financial institution would choose.
The methods that any corporation would use can also be employed at financial institutions, but they are not marked again under the financial institution column, so that the differences stand out more clearly.
Extra methods justified at a Financial Institution
Firewalls are one of the most fundamental and important security tools. You are likely familiar with the software-based host firewall that you use on your laptop or desktop. Such firewalls should also be installed on every computer in an organization. However, organizations also need corporate-grade firewalls, which are usually, but not always, dedicated special-purpose hardware devices. Conduct some research to identify three different brands of such corporate-grade firewalls and write a report that addresses the following points:
Specifics of the solution will differ depending upon the brands identified. The instructor may wish to require students to turn in copies of their source materials. At a minimum, the solution should clearly demonstrate that students understand the different types of firewalls and have read and understood the review of each product's ease of configuration and ease of use.
Case 8.2 Developing an Information Security Checklist
Obtain a copy of COBIT (available at www.isaca.org) and read section DS5.
Design a checklist for assessing each of the 11 detailed information security control objectives. The checklist should contain questions to which a Yes response represents a control strength, a No response represents a control weakness, plus a possible N/A response.
Provide a brief reason for asking each question. Organize your checklist as follows:

Question                                          Yes  No  N/A  Reason for asking
1. Is there regular security awareness training?                 Training is one of the most important preventive controls because many security incidents happen due to either human error or social engineering.
Suggested solution (answers will vary; the key is to address each COBIT DS5 control objective). Questions, listed by COBIT control objective:
Does the person responsible for information security report to the C-suite?
Is information security a topic at meetings of the Board of Directors?
Does an information security plan exist?
Do information security policies and procedures exist?
Are information security policies and procedures communicated periodically to all employees?
Do all employees have unique user IDs?
Are all employees required to use passwords?
Are there policies to ensure that passwords are sufficiently strong?
Are access rights assigned by employee role?
Are access rights approved by management?
Are there procedures for closing user accounts when an employee leaves the company?
Do employees who need administrative access have two accounts – one that is a limited account and the other with administrative rights?
Do employees routinely use only their limited user accounts when surfing the Internet?
Are there periodic vulnerability assessments?
Are there periodic penetration tests?
Is logging enabled?
Are logs regularly reviewed?
Is there a computer incident response team (CIRT)?
Does membership of the CIRT include all appropriate functions?
Is there a written incident response plan?
Has the plan been practiced this year?
Is documentation related to firewalls and IPS stored securely and with restricted access?
Are firewalls and other security devices protected with appropriate logical and physical access controls?
Is sensitive information encrypted?
Are there procedures for issuing and revoking encryption keys?
Do all computers run up-to-date anti-malware?
Are patches applied on a timely basis?
Are firewalls and IPS used to protect the perimeter?
Are firewalls used to segregate functions within the corporate network?
Are intrusion detection systems used?
Is sensitive information encrypted prior to transmission over the Internet?